Scripting GPO Creation and Modification
When you install the Group Policy Management Console (GPMC) on your system, you also get a set of sample scripts under Program Files\GPMC\Scripts (run with CSCRIPT) for managing group policies from the command line.
Still, some things have to be scripted if you're going to be efficient. Even though scripting with VBS would be more powerful, sometimes it's just easier to jump into Windows Shell scripting to get things done, especially since all the tools the batch file leans on are already deployed in the environment.
Below is a script I tested that takes an existing template GPO, makes one copy of it per country, creates a matching global group for each country, and then edits each copy's security template (GptTmpl.Inf under SYSVOL) so that the Restricted Groups entry points at the SID of the newly created group instead of the SID baked into the template.
This took a few days to work out, but the line-by-line FOR /F rewrite in the subroutine at the end is a good template for file content substitution in general.
I really need to start doing these in C# or Windows PowerShell...
@ECHO OFF
rem - ASB (05 May 2006 / 09 May 2006): Generate Multiple GPOs for Restricted Group Membership
CLS
rem -- Initialize Environment Variables
:Variables
SETLOCAL ENABLEDELAYEDEXPANSION
SET @DNSDOMAIN=HOMEDOMAIN.HOME
SET @COUNTRIES=C:\Scripts\Bat\Input\Corp_Countries.TXT
SET @COPYGPO=CSCRIPT "C:\Program Files\GPMC\Scripts\CopyGPO.wsf"
SET @GPO_NAME=Enables Access To Administer Servers
SET @GPO_BACKUP=GptTmpl-Save.Inf
SET @GROUP_CONTAINER=CN=Users,DC=homedomain,DC=home
SET @GROUP_NAME=Local Administration Group
rem -- The value being replaced is a SID, not a GUID: the template GPO's Restricted Groups
rem -- settings reference the domain's Enterprise Admins group, RID 519.
SET @OLD_SID=S-1-5-21-507921405-1677128483-1343024091-519
rem -- Create GPOs Based On Countries, Then Edit Them
:DuplicateGPOs
ECHO Creating GPOs for Local Delegated Administration...
ECHO.
rem -- One country code per line in the input file; text after a ';' or a space is ignored
FOR /F "TOKENS=1 DELIMS=; " %%C IN (%@COUNTRIES%) DO (
    rem -- FIND picks out the line on which CopyGPO.wsf reports the new GPO's GUID,
    rem -- and that GUID is the name of the GPO's folder under SYSVOL
    FOR /F "TOKENS=2" %%G IN ('%@COPYGPO% "Template:%@GPO_NAME%" "%%C:%@GPO_NAME%" /SourceDomain:%@DNSDOMAIN% /TargetDomain:%@DNSDOMAIN% /COPYACLS ^| FIND "ID:"') DO (
        SET @GPO_SOURCE=\\%@DNSDOMAIN%\SysVol\%@DNSDOMAIN%\Policies\%%G\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.Inf
        rem -- One global group per country; errors such as an already existing group are ignored on purpose
        NET GROUP "%%C_%@GROUP_NAME%" /DOMAIN /ADD >NUL 2>NUL
        CALL :SwapSID %%C "!@GPO_SOURCE!"
    )
)
rem -- Reset Environment Variables and Exit Batch File
:ExitBatch
ENDLOCAL
ECHO FINISHED: Creating GPOs for Local Delegated Administration!!
GOTO :EOF
rem -- SUBROUTINE: Replace the template's Enterprise Admins SID with the country group's SID
:SwapSID
rem %1 = Current Country Code
rem %2 = Destination GPO INF File
rem -- Clear the previous value first. If DSGET fails, e.g. because the new group has not yet
rem -- replicated to the DC being queried, the previous country's SID must not be reused.
SET @NEW_SID=
FOR /F "TOKENS=1" %%I IN ('DSGET GROUP "CN=%~1_%@GROUP_NAME%,%@GROUP_CONTAINER%" -SID ^| FIND "S-1"') DO SET @NEW_SID=%%I
IF NOT DEFINED @NEW_SID (
    ECHO ERROR: Could not resolve the SID of "%~1_%@GROUP_NAME%" - leaving "%~2" untouched.
    GOTO :EOF
)
REN "%~2" %@GPO_BACKUP%
rem -- Rewrite the INF line by line. FOR /F drops blank lines and lines starting with ';'.
rem -- TYPE also turns a UTF-16 template into ANSI on output, so after the first run confirm
rem -- that the rewritten policy still opens cleanly in the Group Policy editor.
FOR /F "TOKENS=*" %%F IN ('TYPE "%~dp2%@GPO_BACKUP%"') DO (
    SET @CONTENT=%%F
    SET @CONTENT=!@CONTENT:%@OLD_SID%=%@NEW_SID%!
    rem -- Redirect first so no trailing space is appended to each line
    >>"%~2" ECHO !@CONTENT!
)
GOTO :EOF
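Since the post itself wonders about doing this in Windows PowerShell, here is the GptTmpl.Inf SID swap written that way. This is an added example, not code from the original post or from the GPMC scripts: it assumes the caller supplies the path to a copied GPO's GptTmpl.Inf and the two SIDs, keeps the file's UTF-16 encoding instead of letting a TYPE/ECHO round-trip recode it, and refuses to write anything if the expected SID is missing or either SID is malformed. The sample INF content and the replacement SID ending in -1107 are constructed for the demo; only the -519 SID comes from the batch script above.

```powershell
# Added example (not from the original post): replace one SID with another inside a
# GPO security template, with the checks the batch version lacks.
function Update-GptTmplSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OldSid,
        [Parameter(Mandatory)] [string] $NewSid
    )

    # Refuse malformed SIDs: a typo would otherwise write a Restricted Groups entry
    # that grants the wrong principal, or nothing at all, without any error.
    foreach ($sid in $OldSid, $NewSid) {
        $null = [System.Security.Principal.SecurityIdentifier]::new($sid)
    }

    # Security templates are UTF-16 LE ("[Unicode] Unicode=yes"); read and write
    # them as such so the file format is unchanged apart from the SID.
    $text = [System.IO.File]::ReadAllText($Path, [System.Text.Encoding]::Unicode)

    # Match the whole SID only, so ...-519 can never match inside ...-5190.
    $pattern = [regex]::Escape($OldSid) + '(?!\d)'
    $hits = [regex]::Matches($text, $pattern).Count
    if ($hits -eq 0) {
        throw "Expected SID $OldSid not found in $Path; the template is not what this script assumes."
    }

    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $updated = [regex]::Replace($text, $pattern, $NewSid)
    [System.IO.File]::WriteAllText($Path, $updated, [System.Text.Encoding]::Unicode)
    return $hits
}

# --- Demo on a constructed GptTmpl.Inf. The member SID ending in -519 is the one the
# --- batch script replaces; everything else here is sample data, not from a real domain.
$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-507921405-1677128483-1343024091-519
'@
$inf = Join-Path $env:TEMP 'GptTmpl.Inf'
[System.IO.File]::WriteAllText($inf, $sample, [System.Text.Encoding]::Unicode)

# Hypothetical SID of "XX_Local Administration Group"; in production take it from
# (Get-ADGroup 'XX_Local Administration Group').SID.Value instead of a literal.
$countryGroupSid = 'S-1-5-21-507921405-1677128483-1343024091-1107'
$replaced = Update-GptTmplSid -Path $inf `
    -OldSid 'S-1-5-21-507921405-1677128483-1343024091-519' -NewSid $countryGroupSid

"Replaced $replaced occurrence(s); BUILTIN\Administrators (S-1-5-32-544) members are now:"
Get-Content -LiteralPath $inf -Encoding Unicode | Where-Object { $_ -match '__Members' }
```

To drive the whole procedure from PowerShell rather than CopyGPO.wsf and DSGET, the GroupPolicy module's Copy-GPO (-SourceName, -TargetName, -CopyAcl) returns the new GPO object whose Id names its SYSVOL folder, and the ActiveDirectory module's Get-ADGroup supplies the SID; both are real cmdlets but are not called above so the sample runs offline. One caveat that applies to both versions: editing GptTmpl.Inf directly does not bump the GPO's version number the way the Group Policy editor does, so open the copied GPO once in the editor, or otherwise make sure the change is picked up, before relying on it.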
About Logik!
Andrew S. Baker aka ASB aka Logik!
Andrew is an accomplished, hands-on IT Executive with a solid track record of providing timely and cost-effective business solutions using technology. With over 16 years' experience in Information Technology, he has proven to be effective both as a Team Leader and as an individual contributor in designing, deploying, securing and maintaining enterprise networks.
His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading and Strategy/Role Playing games...
Some of his contributions include several whitepapers on technology and Information Security, the UltraTech Knowledgebase, various postings to technology mailing lists and forums, active participation on LinkedIn Answers, along with a number of interviews for articles published in industry magazines.
A condensed version of Andrew's current resume is available here.